Forum Discussion

Johan Pauly's avatar
Johan Pauly
Brass Contributor
Jul 04, 2019
Solved

Creating dynamic groups with custom attribute

We want to create several groups based on the value that we fill into the field CustomAttribute1.    Our environment is not AD Synced. We're working in the cloud with all our applications and servi...
Azure Active Directory (AAD)
Identity Management
microsoft 365
headburgh's avatar
headburgh
MCT
Jul 04, 2019
Yeah, right. The ExtensionAttribute you are referring to is present on the Exhange Mailbox?

Azure AD dynamic group rules does not as to my knowledge let you use Exchange Extension Attributes from out-of-the box.

Since you also stated that there is no AAD Connect Sync in place, I would try another attribute. The ExtensionAttributes reffered to in https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#extension-properties-and-custom-extension-properties are those coming from on-prem AD via sync.
  • Johan Pauly's avatar
    Johan Pauly
    Brass Contributor
    Jul 05, 2019
    That is also what I thought. But I was not sure about it.
    As your said, these ExtensionAttributes are present on the Exchange mailbox. About using another attribute, it's difficult. We want to use a specific value to populate these groups.
    Thanks for your answers.
    • Tom_K-----------'s avatar
      Tom_K-----------
      Copper Contributor
      Sep 10, 2019

      Hello,

       

      you can use custom properties for membership of dynamic azure ad groups without on permises AD sync.
      However, these custom properties are not the ones you can set in EAC!

      Despite them being called "onPremisesExtensionAttributes", you can use them without ad sync.

      The rules you can make with them for dynamic azure AD group membership, are much more powerful than the EAC custom attributes (which you can use only for dynamic distribution groups, not for azure ad dynamic groups), you'll like it!


      The recommended way to get/set these properties is using ms graph (as far as I could find out, there exists a - more complex - way for setting them with powershell,  but I could find no way to retrieve them with powershell).

      To get these custom  properties (and check there's no on premises sync):

      GET https://graph.microsoft.com/v1.0/users/<idhttps://graph.microsoft.com/v1.0/users/<id

      https://graph.microsoft.com/v1.0/users/<id

      https://graph.microsoft.com/v1.0/users/<id

      https://graph.microsoft.com/v1.0/users/<id

      https://graph.microsoft.com/v1.0/users/<idhttps://graph.microsoft.com/v1.0/users/<id</id<>

      https://graph.microsoft.com/v1.0/users/<id

      https://graph.microsoft.com/v1.0/users/<id
       "onPremisesExtensionAttributes": {
           "extensionAttribute1": "any string you like",
           "extensionAttribute2": "another string",
           "extensionAttribute3": null,
           "extensionAttribute4": null,
           "extensionAttribute5": null,
           "extensionAttribute6": null,
           "extensionAttribute7": null,
           "extensionAttribute8": null,
           "extensionAttribute9": null,
           "extensionAttribute10": null,
           "extensionAttribute11": null,
           "extensionAttribute12": null,
           "extensionAttribute13": null,
           "extensionAttribute14": null,
           "extensionAttribute15": null
       }
      }

      https://graph.microsoft.com/v1.0/users/<id

      https://graph.microsoft.com/v1.0/users/<idhttps://developer.microsoft.com/en-us/graph/graph-explorer).

       

      More info here: https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0

      and here: https://docs.microsoft.com/en-us/graph/api/resources/onpremisesextensionattributes?view=graph-rest-1.0

       

       

      Best regards,

       

      Tom

      • Tom_K-----------'s avatar
        Tom_K-----------
        Copper Contributor
        Sep 10, 2019

        My post above appearded a little screwed up, hope the commands will be readable this time:

         

        getting:

        GET https://graph.microsoft.com/v1.0/users/id_or_<id< a="">principa</id<>lname_here?$select=onPremisesSyncEnabled,onPremisesExtensionAttributes

         

        setting:

        PATCH https://graph.microsoft.com/v1.0/users/id_or_<id< a="">principa</id<>lname_here

        with  a request body like this:

        {
             "onPremisesExtensionAttributes": {
                  "extensionAttribute1": "any string you want",
                  "extensionAttribute2": "some other string",
                  "extensionAttribute3": null,
                  "extensionAttribute4": null,
                  "extensionAttribute5": null,
                  "extensionAttribute6": null,
                  "extensionAttribute7": null,
                  "extensionAttribute8": null,
                  "extensionAttribute9": null,
                  "extensionAttribute10": null,
                  "extensionAttribute11": null,
                  "extensionAttribute12": null,
                  "extensionAttribute13": null,
                  "extensionAttribute14": null,
                  "extensionAttribute15": null
             }
        }

Resources